------------------------------------------------------------------
Steven C. Timm, Ph.D (630) 840-8525
[EMAIL PROTECTED] http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group Leader.
On Thu, 26 Jun 2008, Charles Bacon wrote:
As an experiment, can you tell me what happens if you run the job in two
parts:
First, try -submit -batch -o foo.epr
Check what hostname/IP shows up in the EPR as the endpoint of the service.
<ns00:EndpointReferenceType
xmlns:ns00="http://schemas.xmlsoap.org/ws/2004/03/ad
dressing"><ns00:Address>https://131.225.167.18:9443/wsrf/services/ManagedExecuta
bleJobService</ns00:Address><ns00:ReferenceProperties><ResourceID
xmlns="http://
www.globus.org/namespaces/2004/10/gram/job">da7e0c90-4388-11dd-96e1-d1739b31397d
</ResourceID></ns00:ReferenceProperties><wsa:ReferenceParameters
xmlns:wsa="http
://schemas.xmlsoap.org/ws/2004/03/addressing"/></ns00:EndpointReferenceType>
that's the wrong IP, it should be the other one.
Then, try a -monitor -j foo.epr
We get essentially the same error as before.
bash-3.00$ globusrun-ws -monitor -j foo.epr -F fnpcosg1.fnal.gov:9443 -Ft
Condor
globusrun-ws: globus_i_monitor.c::1743:
Error subscribing
ManagedJobService_client.c::8195:
Failed sending request ManagedJobPortType_Subscribe.
globus_xio_gsi.c:globus_l_xio_gsi_read_token_cb:1183:
gss_init_sec_context failed.
GSS Major Status: Unexpected Gatekeeper or Service Name
init_sec_context.c:gss_init_sec_context:284:
Authorization denied: The name of the remote host (fnpcosg1.fnal.gov), and
the expected name for the remote host (fnpc3x1.fnal.gov) do not match.
This happens when the name in the host certificate does not match the
information obtained from DNS and is often a DNS configuration problem.
>
If the fnpc3x1 name is showing up in the EPR, that's what we have to fix. I
assume GLOBUS_HOSTNAME is set in the environment of the container - what is
it set to?
as far as I can tell, GLOBUS_HOSTNAME is not set in the environment
of the container. What's the best way to set it in a VDT environment?
I did set GLOBUS_HOSTNAME before I installed the VDT, to fnpcosg1.
I am now running the container in full-out debug mode so if there
are any logs you need to see, let me know.
Steve Timm
Charles
On Jun 25, 2008, at 11:32 PM, Steven Timm wrote:
I have the following
A host with two public IP's
fnpc3x1.fnal.gov 131.225.167.18
fnpcosg1.fnal.gov 131.225.166.2
"hostname" returns fnpc3x1.fnal.gov
I want to offer the globus web services only on the 2nd ip.
fnpcosg1.fnal.gov.
hostcert.pem/hostkey.pem have host cert with fnpcosg1.fnal.gov
in the subject. so does containercert.pem/containerkey.pem
DNS is OK both ways.
Globus pre-ws works ok, so does gsiftp.
on a globusrun-ws I get the following:
globusrun-ws -submit -F fnpcosg1.fnal.gov:9443 -Ft Condor -J -s -c
/usr/bin/id
Delegating user credentials...Done.
Submitting job...Done.
Job ID: uuid:a0ee8f04-4338-11dd-8cba-001422086c92
Termination time: 06/27/2008 04:30 GMT
globusrun-ws:
globus_service_engine.c:globus_l_service_engine_session_started_callback:2744:
Session failed to start
globus_xio_gsi.c:globus_l_xio_gsi_read_token_cb:1335:
The peer authenticated as
/DC=org/DC=doegrids/OU=Services/CN=fnpcosg1.fnal.gov.Expected the peer to
authenticate as /CN=host/fnpc3x1.fnal.gov
-------------
the interesting thing is that the job in question *does* get submitted
to condor, and run, but I get no stdout/stderr back.
I have grepped every single file in globus and see no reference
to the base ip anywhere in any config file. What if anything did
I do wrong?
Steve Timm
------------------------------------------------------------------
Steven C. Timm, Ph.D (630) 840-8525
[EMAIL PROTECTED] http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Assistant Group
Leader.
